DailyExpenseTracker
v1.0.1
DailyExpenseTracker API integration for recording expenses, checking balances, and managing transactions. Use when user mentions expenses, spending, transact...
by Gurpreet Kait (@gurpreetkaits)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match an expense-tracking integration and the SKILL.md contains reasonable API endpoints (transactions, wallets, categories). However, the SKILL.md expects an API token and refers to storing it under skills.entries.det.apiToken in openclaw.json, yet the skill metadata declares no required env vars or config paths. That mismatch (declared requirements: none vs instructions: require token/config) is an inconsistency.
Instruction Scope
Instructions tell the agent to call the DET API with a Bearer token, cache wallet IDs locally after first fetch, and use a default wallet ID if unspecified. The doc also uses an environment variable ($DET_TOKEN) in curl examples while separately saying the token should be set in openclaw.json. The SKILL.md therefore references agent config, environment variables, and local caching without specifying where or how data is persisted or how secrets are read — granting broad discretion and creating ambiguity about what the agent will read/write at runtime.
Install Mechanism
No install spec and no code files (instruction-only). That minimizes installation risk because nothing is downloaded or written by a provided installer. Risk arises from the runtime instructions rather than an install step.
Credentials
The skill clearly needs an API token to call the service, but the registry metadata lists no required env vars or config paths. The SKILL.md contradicts itself by referencing both skills.entries.det.apiToken (openclaw.json) and $DET_TOKEN. This inconsistency makes it unclear which credential is required and where it will be stored or read from — raising confidentiality and least-privilege concerns.
Persistence & Privilege
always:false (no forced persistence), which is appropriate. However, the instructions explicitly state 'Cache wallet IDs locally after first fetch' without specifying storage location, retention, or access controls. That implies the skill will persist data on the agent (or in its config) and should be clarified before use.
Scan Findings in Context
[no-findings] expected: The regex scanner reported no findings. This is expected because the skill is instruction-only (no code files) so there was nothing for the static scanner to analyze. The SKILL.md itself contains the runtime behavior to evaluate.
What to consider before installing
Before installing or enabling this skill, confirm where the API token will be stored and how it will be read (openclaw.json vs environment variable). Ask the author to: (1) declare required config paths or environment variables in the skill metadata, (2) clarify caching behavior (exact file/path, retention, and access permissions), and (3) provide guidance on token scoping (use a least-privilege token). Do not provide high-privilege credentials until you verify storage is secure and the token is limited to only the actions this skill needs (create/read transactions, list wallets). If you cannot get clear answers or the skill insists on storing secrets in an obvious plaintext location, treat it as untrusted.
Like a lobster shell, security has layers — review code before you run it.
